possible browser hijack on macbook air

I have a MacBook Air running OS X Lion ver 10.7.5 and had been having problems every time I try to open any site except the home page. It was either throwing a "not trusted connection" page thing (couldn't get past it no matter the exceptions) or getting redirected to Facebook and some other unintelligible website. Since then, I had been using another laptop. This had been going on for over 3 months now.

However, since a couple of days back I am able to access the very same sites (on Firefox) that were previously impossible to open, except on Safari now. Safari still seems to have some leftover hangups. Is it just browsers acting weird occasionally or has everything somehow cleaned up on its own?

Any help would be appreciated.
Thanks in advance.

Alas, a brawling lad I am not, but a mere woman. Thus my weapons must be my wit and tongue.

Main Menu Pro 3 (pay to play - $19.99 for single user - note Standard version is only $5 less and gives you the Mac daily, weekly, etc.)

CCleaner (free) - has improved Safari Cleaning - and works well and is free.

3. You may want to install VirusBarrier Express, a free app on the Mac App Store. It is an on demand antivirus software. Run that and take appropriate actions recommended if it finds something.

4. If you have Java installed, make sure it is up to date. ALSO, important, go to Apple, System Preferences, Java and it will open a separate window for Java. Under the General Tab, check the Network Settings, and might want to change to Direct Connection instead of browser settings. Under Temporary Internet Files, Settings..., click delete files.

Umm, actually, it was both safari and firefox but the latter seems to be working fine now. no issues.

And no, hadn't unchecked the "Open safe file..." option.

Don't have CCleaner on the laptops, but have installed it now.

Also, no Java.

Can't download VirusBarrier Express as it tries to open the browser and an invalid certificate message appears.

I am able to access sites now without getting redirected to Facebook or some Chinese sites. But Google and a couple of sites throw up an invalid certificate page. It's the same on Firefox as well.
I hope that it doesn't mean the DNS is compromised; just a case of bad security certificates or something.

Thanks again.


Open Keychain Access, located in the Utilities folder in the Applications folder.

Choose Keychain Access > Keychain First Aid.

Enter your user name and password.

Select Verify and click Start. Any problems found will be displayed.

If there are problems, select Repair, and then click Start.

To change the Keychain First Aid settings, choose Keychain Access > Preferences, and then click First Aid.

Last ditch effort so you can actually use your system to install programs, you might want to temporarily disable OCSP and CRL.

Open Keychain Access, Preferences, Certificates Tab, set both OCSP and CRL to Off.

NOW, see if you can login to the AppStore and install the VirusBarrier Express.

IMPORTANT: UNcheck the box next to Open "safe" files after downloading "safe" files including movies, pictures, sounds, PDF and text documents, and archives on the General Tab in Safari Preferences.
This is an important security change that needs to be done. It can be circumvented by malware.

Does any of this help?

Edited by LilBambi, 09 February 2014 - 11:57 AM. Added line about Keychain First Aid and disabling OCSP and CRL.

I haven't attempted changing DNS servers yet. Wasn't sure if switching back and forth is easy to do cos all of the info that I had been reading was doing my head in.

I don't know how to restore the root certificates back to default.
I tried changing the Google certificate to blue manually though, it still says certificate invalid (not going through the keychain method, that is). So, every time I type in Google I have to check the "always trust google.co.in ...." thing all over again. Not all sites work this way though.

Have tried Keychain First Aid. Found no problems.

Unable to connect to appstore even after setting OCSP and CRL off.

And lastly, don't have Lion install USB drive. Looks like I've lost the thing with all the moving out etc.

There's something else I need to ask. What are the token signing public keys? Two of those certificates are in red along with macupdate and some others. Could you tell me how to restore them back please?

Hoping to hear soon.


One thing that some were asking is that folks check the Date and Time on their Mac to ensure it's correct, since certificates have dates they are valid. For some folks that was the case, but not a lot, but it's certainly worth checking on.

I solved this on my wife's computer by resetting the security certificate settings. This might help others:
Close all windows.

Keychain Access -> click on System Roots on the left, and then click on Certificates on the bottom left.

Check to see if any of the certificates on the right have the blue "+" symbol - this means they have custom trust settings.

There is a bug in changing the policies, so you'll have to change them via the method below. Changing them just by changing the access to "system defaults" doesn't seem to save. The method below worked for me.

Double-click on each certificate with the custom setting (blue "+"), expand the section labeled "trust". Change the "Secure Sockets Layer (SSL)" setting to "no value specified". Close window - you should be prompted for the password. Double-click on the certificate again, expand trust, change the "When using this certificate" setting to "Use System Defaults". Close window, and re-enter password.

If you didn't re-enter your password upon closing the window, the setting didn't take. The blue "+" should disappear after a few seconds when it's set back to default. Once all of the certificates are changed back to default, restart Safari.

This solved all of the problems for my wife's computer with these issues and OSX 10.7.4

I found the same 'bug' when I was trying to save changes to certificates on my Mac noted in bold above.

BTW: I do not have ANY specific Google Certificates. I do a search on certificates and there are none specifically for Google. Google's Crt's are signed by GeoTrust Global CA as noted at this link. If you have one, perhaps you installed it and it's since expired? Check the certs from the link if that's the case.
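The date-and-time check suggested in the reply above can be made concrete. This is an added example, not part of any post in this thread: it compares certificate validity windows against the clock and flags the pattern where certificates appear "not yet valid", which usually points at a system clock set in the past rather than at bad certificates. Certificate names and dates are constructed sample values, and the function names are hypothetical.

```python
import math
import ssl
from datetime import datetime, timezone

# Constructed sample data (illustrative names and dates, not read from a real keychain).
# Date strings use the format printed by `openssl x509 -noout -dates`.
SAMPLE_CERTS = [
    ("Example Root CA",         "Jan  1 00:00:00 2005 GMT", "Jan  1 00:00:00 2030 GMT"),
    ("Example Intermediate G2", "Apr  5 00:00:00 2013 GMT", "Apr  5 00:00:00 2016 GMT"),
    ("Example Software Update", "Oct 10 00:00:00 2012 GMT", "Oct 10 00:00:00 2020 GMT"),
    ("Example Old Site",        "Mar  1 00:00:00 2009 GMT", "Mar  1 00:00:00 2011 GMT"),
]

def classify(not_before, not_after, now):
    """Return 'not yet valid', 'expired' or 'valid' for one certificate at time `now`."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if now < start:
        return "not yet valid"
    if now > end:
        return "expired"
    return "valid"

def triage(certs, now):
    """Classify every certificate and judge whether the clock itself is suspect."""
    status = {name: classify(nb, na, now) for name, nb, na in certs}
    future_starts = [ssl.cert_time_to_seconds(nb)
                     for name, nb, _ in certs if status[name] == "not yet valid"]
    if future_starts:
        # Heuristic: CAs do not issue certificates that start far in the future,
        # so a "not yet valid" certificate implies the local clock is behind.
        verdict = "clock_behind_suspected"
        days = math.ceil((max(future_starts) - now) / 86400)
    elif "expired" in status.values():
        verdict = "expired_certificates_only"
        days = 0
    else:
        verdict = "dates_consistent"
        days = 0
    return {"status": status, "verdict": verdict, "min_days_behind": days}

if __name__ == "__main__":
    # Simulated wrong clock (constructed): the machine believes it is 1 Jan 2012.
    wrong_clock = datetime(2012, 1, 1, tzinfo=timezone.utc).timestamp()
    result = triage(SAMPLE_CERTS, wrong_clock)
    for name, state in result["status"].items():
        print(f"{name:26} {state}")
    print(result["verdict"], "- clock at least", result["min_days_behind"], "days behind")
```

A `clock_behind_suspected` verdict means the date, time and time zone should be corrected before any trust settings are changed.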

Okay, I've tried all that. Doesn't seem to be working. In Safari, for the page to load, I simply have to hit on the continue button every time I type in Google or some other site that it says certificate is invalid for etc. Firefox is mucking up now for Google and related sites.

The GeoTrust certs seem to be OK. There's another Google one (Google Internet Authority G2) that is not yet valid. A couple of Apple certs are also the same.

Oh and I need to check with you again. Mac OSX version is at 10.7.5 and Safari at 6.0 something. But, when I tried to run updates it stopped about one-third into downloading/installing with a message saying "none of the selected updates could be installed. The update could not be verified. It may have been corrupted during downloading."
What does it mean by that?


I am sorry we haven't been able to fix this. We have covered all the bases possible and it just doesn't work.

You can't even update your operating system. Your DNS appears to be hosed, your Certificates are mucked up and you don't even know if you are getting to the right places or if you are being sent to strange mimics of websites to make things worse.

I would not trust a system that is acting this way. If it were me, I would backup my data on an external hard drive and do a reinstall of the system as noted repeatedly for these types of problems.

First, since you can not find your Lion USB drive, I would give Apple a call. Lion is the last OS that can be installed via USB installation drive. So I would see about getting that so you can reinstall the system.

Apple service is quite ****ty where I live. It's taken a thousand calls (yeah, I am pretty sure it must be a thousand) to get them to say anything meaningful. I was told that they would see about trying the USB option which you mentioned but I would have to bring the laptop to the store etc. That's scheduled for next week and I'll let you know how it goes.
